Mantis Bugtracker

ID: 0000491
Category: [obex-data-server] General
Severity: crash
Reproducibility: always
Date Submitted: 2010-10-25 07:01
Last Update: 2010-10-25 08:44
Reporter: ulidtko
View Status: public
Assigned To: skirsdeda
Priority: normal
Resolution: open
Status: assigned
Product Version:
Summary: 0000491: Segmentation fault, caused by double-finalizing obex_t contexts in failed usb sessions
Description: When `ods_obex_setup_usbtransport()` fails to bring up the interface, it `OBEX_Cleanup()`s the created OBEX context. Afterwards, when freeing the session in `ods_session_finalize()`, the context gets `OBEX_Cleanup()`ed again, resulting in double-frees and SIGSEGV.

The following patch is not a solution, but rather a workaround to avoid crashes. It relies on `OBEX_Cleanup()` handling NULLs gracefully.

Index: src/ods-obex.c
===================================================================
--- src/ods-obex.c (revision 3050)
+++ src/ods-obex.c (working copy)
@@ -429,7 +429,10 @@
 
 err:
     if (obex_context->obex_handle)
+ {
         OBEX_Cleanup (obex_context->obex_handle);
+ obex_context->obex_handle = NULL;
+ }
     return FALSE;
 }
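Review bot: in the `err:` path, the reset `obex_context->obex_handle = NULL;` only prevents the second cleanup if the later caller copes with a NULL handle, and the description says this relies on `OBEX_Cleanup()` accepting NULL. A NULL check before the call made from `ods_session_finalize()`, mirroring the `if (obex_context->obex_handle)` guard here, would remove that dependency. The added braces and assignment also need indenting to match the surrounding lines.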
Additional Information: Valgrind session, without the patch:

obex-data-server 0.4.6svn
Using Session bus
Session created by: :1.711
session_connect_result_cb
session closed
Removing listened DBUS name :1.711 (object: /org/openobex/session0)
Removed from listened DBUS names list
==32417== Invalid read of size 4
==32417== at 0x426BCE4: obex_transport_disconnect_request (obex_transport.c:244)
==32417== by 0x426598C: OBEX_Cleanup (obex.c:228)
==32417== by 0x8063315: ods_session_finalize (ods-session.c:1052)
==32417== by 0x4054653: g_object_unref (gobject.c:2695)
==32417== by 0x4058CB0: g_object_set_valist (gobject.c:1696)
==32417== by 0x4059075: g_object_set (gobject.c:1795)
==32417== by 0x805415D: ods_manager_create_usb_session (ods-manager.c:870)
==32417== by 0x41E2DDE: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== by 0x41E338D: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== by 0x4214F5D: ??? (in /lib/libdbus-1.so.3.5.2)
==32417== by 0x4206EB6: dbus_connection_dispatch (in /lib/libdbus-1.so.3.5.2)
==32417== by 0x41DF39C: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== Address 0x458f794 is 52 bytes inside a block of size 252 free'd
==32417== at 0x40257ED: free (vg_replace_malloc.c:366)
==32417== by 0x42659DD: OBEX_Cleanup (obex.c:238)
==32417== by 0x8056D1E: ods_obex_setup_usbtransport (ods-obex.c:432)
==32417== by 0x80620C1: ods_session_set_property (ods-session.c:766)
==32417== by 0x4058959: g_object_set_valist (gobject.c:1174)
==32417== by 0x4059075: g_object_set (gobject.c:1795)
==32417== by 0x805415D: ods_manager_create_usb_session (ods-manager.c:870)
==32417== by 0x41E2DDE: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== by 0x41E338D: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417== by 0x4214F5D: ??? (in /lib/libdbus-1.so.3.5.2)
==32417== by 0x4206EB6: dbus_connection_dispatch (in /lib/libdbus-1.so.3.5.2)
==32417== by 0x41DF39C: ??? (in /usr/lib/libdbus-glib-1.so.2.1.0)
==32417==
- Notes
(0001389)
skirsdeda (administrator)
2010-10-25 08:44

Thanks for the bug report. The solution seems fine; it should probably be applied to ods_obex_setup_fdtransport() as well.
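The ownership rule behind the workaround, and behind covering `ods_obex_setup_fdtransport()` too, as an added example that is not obex-data-server or OpenOBEX code. `handle_t`, `context_t` and every function name are hypothetical stand-ins, and it assumes session teardown checks the pointer for NULL before cleaning up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins (assumptions): handle_t plays the role of obex_t, context_t the
 * structure holding obex_handle. Static storage is used instead of malloc so
 * a second release can be counted without touching freed memory. */
typedef struct { bool live; } handle_t;
typedef struct { handle_t *handle; } context_t;

static handle_t slot;
static int double_cleanups;

static handle_t *handle_init(void) { slot.live = true; return &slot; }

/* Models OBEX_Cleanup(): a second call on the same handle is the bug. */
static void handle_cleanup(handle_t *h) {
    if (!h->live) { double_cleanups++; return; } /* real code reads freed memory here */
    h->live = false;
}

/* Release through the owner and clear its pointer, so ownership ends once. */
static void context_release(context_t *c) {
    if (c->handle) { handle_cleanup(c->handle); c->handle = NULL; }
}

/* Setup whose transport bring-up always fails, as in the report. */
static bool setup_transport(context_t *c, bool clear_pointer) {
    c->handle = handle_init();
    if (clear_pointer)
        context_release(c);              /* error path with the pointer reset */
    else if (c->handle)
        handle_cleanup(c->handle);       /* error path that leaves it dangling */
    return false;
}

/* Session teardown: the NULL guard only helps if the pointer was cleared. */
static void session_finalize(context_t *c) { context_release(c); }

/* Returns how many times a dead handle was cleaned up again. */
int run_scenario(bool clear_pointer) {
    context_t c = { NULL };
    double_cleanups = 0;
    setup_transport(&c, clear_pointer);
    session_finalize(&c);
    return double_cleanups;
}

int main(void) {
    printf("stale pointer: %d, cleared pointer: %d\n", run_scenario(false), run_scenario(true));
    return 0;
}
```

Routing every error path and the teardown through one release helper keeps the pointer reset from being forgotten in a second setup function.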

- Issue History
Date Modified Username Field Change
2010-10-25 07:01 ulidtko New Issue
2010-10-25 07:05 ulidtko Issue Monitored: ulidtko
2010-10-25 08:44 skirsdeda Note Added: 0001389
2010-10-25 08:44 skirsdeda Status new => assigned
2010-10-25 08:44 skirsdeda Assigned To => skirsdeda

